Sharing sensitive documents over the internet is both common and commonly done wrong. I'll look at the pitfalls and alternatives.
I wished to send some personal documents to my lawyer via Google Docs for security reasons but my attorney refused, saying that she doesn't "do Google Docs." Instead, she prefers that I send her my files of a personal nature via email attachments. I object to this as being far less secure than Google; SMTP is inherently insecure, but HTTPS is very secure. Forget about setting up encrypted email. How do I convince said lawyer that my privacy interests are paramount to her convenience interests?
Well, I can't answer that last question: it's difficult to persuade people who are set in their ways, as it sounds like your attorney might be.
I'll discuss some of the pros and cons of the two approaches that you mention and throw out a few additional ideas of my own.
I just went through this with my bookkeeper, who is decidedly more open-minded and security-aware.
Unencrypted email is perhaps the most common and, by far, the least secure way to get any document from point A to point B. The email and the document travel unencrypted between mail servers and reside in unencrypted form on those mail servers while they await transmission or download.
Put another way: anyone with access to the servers or the ability to snoop in on the transmissions to and from the servers could read your email and documents.
Worse, any kind of email hiccup, like a mistyped email address or a hacked email account, could end up delivering those unencrypted documents into the hands of the wrong person.
Now, on the flip side, with the possible exception of hacked accounts, all of these accidents that could happen don't happen very often at all. Unless there's someone specifically looking to intercept your email, it's unlikely that anyone will.
Of course, communicating with an attorney would be one of those cases with a slightly higher than normal probability of someone actually being interested in doing just that.
Using Google Docs as a secure transmission medium is an interesting approach. You should be aware of a few possible issues:
You're placing sensitive information in the hands of a third party (Google), though admittedly, a third party whom you trust.
Google, having access to the documents, could be required to divulge them in response to a court order.
And, of course, if any account with access to the documents is hacked, the information can be exposed.
One approach that would work very well all around is natively encrypted email.
The problem is that the adoption of email encryption, including consistent support in major email programs, is nowhere near what it needs to be for this to work. On top of that, it's just not as simple to set up as it should be.
To be honest, I'm somewhat surprised that the legal profession as a whole hasn't been pushing harder for this solution to be more ubiquitously available.
This solution would be ideal because the documents would be encrypted before they leave your machine and would remain encrypted until they reach the destination machine. Simple account hacks or email interception would not allow someone to view their contents - they'd have to actually break into one machine or the other and gain access to the encryption keys.
Another approach might be to manually encrypt your documents before emailing them to your attorney. You two would then share a password separately from email that would be used to decrypt the documents.
Tools, such as the most popular "zip" utilities (including 7-Zip), will allow you to encrypt a collection of documents into a single archive. AxCrypt will allow you to encrypt a single file. Tools like TrueCrypt could be used, I suppose, to send a virtual drive container file, but that would be pretty cumbersome.
Zip files are fairly ubiquitous; having one ask for a password on open might not be too much of a stretch for the less technically inclined.
At least with a strong password, you can feel safe emailing it as an attachment.
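As a check to run before attaching a password-protected zip, the sketch below (an added example, not part of the original article) reads the archive's directory and reports whether each file is unencrypted, protected with the legacy ZIP password scheme, or AES-encrypted. The function names, file names and sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # WinZip-style AES entries store 99 as the compression method

def audit_zip(data: bytes) -> dict:
    """Map each file name to 'plaintext', 'zipcrypto' (legacy, weak) or 'aes'."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # the listing needs no password
            if info.is_dir():
                continue
            if not info.flag_bits & 0x1:  # bit 0 set = entry is encrypted
                report[info.filename] = "plaintext"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "aes"
            else:  # simplification: any other encrypted entry counts as legacy
                report[info.filename] = "zipcrypto"
    return report

def safe_to_attach(data: bytes) -> bool:
    """True only if the archive has files and every one is AES-encrypted."""
    report = audit_zip(data)
    return bool(report) and all(kind == "aes" for kind in report.values())

def build_sample(marks: dict) -> bytes:
    """Constructed demo input: an ordinary zip whose directory flag/method
    fields are patched to mimic an encrypting tool. The payload itself is
    NOT encrypted; only the metadata that audit_zip reads is realistic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in marks:
            zf.writestr(name, b"constructed sample")
    raw = bytearray(buf.getvalue())
    eocd = raw.rfind(b"PK\x05\x06")  # end-of-central-directory record
    count, _size, pos = struct.unpack_from("<HII", raw, eocd + 10)
    for _ in range(count):
        n, m, k = struct.unpack_from("<HHH", raw, pos + 28)  # name/extra/comment
        name = bytes(raw[pos + 46:pos + 46 + n]).decode()
        struct.pack_into("<HH", raw, pos + 8, *marks[name])  # (flags, method)
        pos += 46 + n + m + k
    return bytes(raw)

if __name__ == "__main__":
    demo = {"will.pdf": (1, AES_METHOD), "taxes.pdf": (1, 0), "notes.txt": (0, 0)}
    print(audit_zip(build_sample(demo)))
```

The file names inside a zip stay readable without the password, as the listing step shows, so the names themselves should not give anything away.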
Dropbox turns out to be a potentially interesting solution. While it does involve installing Dropbox on both machines and trusting a third party, this could be the easiest of all solutions with a very high level of security.
By default, folders that you set up in Dropbox are private, meaning only machines that are logged into your Dropbox account can see the folder and its contents. This is the typical approach to sharing files across multiple machines used by the same person.
You can specify that folders be public, visible to the entire world, at a Dropbox web address. But that's definitely not what we want here.
Instead, you can specify that a folder be shared with another Dropbox user's account. That folder will then appear in both of your Dropbox folder trees.
Any documents that you place in that folder will be securely copied to the other person's machine, and vice versa.
In transit, the documents are protected with HTTPS connections, and they are stored on the Dropbox servers in an encrypted form so that not even Dropbox employees can access the files.
If your attorney already is, or could be convinced to be, a Dropbox user, this could be a very easy and workable solution.
I'm a geek. I have my own server protected with HTTPS connections and access control. I simply uploaded the files there (securely, of course) to a location to which I gave my bookkeeper sole access.
Had that not worked, I would have suggested Dropbox.
If that hadn't been acceptable for whatever reason, I would have used encrypted attachments using 7-Zip.
And had that not worked, and no appropriate alternative had been suggested ... well, I guess I would have found another bookkeeper that more appropriately understood digital data security.